Information within organizations and entities is often classified as sensitive either for business reasons or for legal reasons. This information may reside within documents, drawings, machinery, layout, use of equipment, text files, databases, images, pictures, etc. In addition to the potential threat of an unscrupulous party illegally accessing the organization from the outside via an electronic network, and then removing or disrupting the information, there exists the risk of intentional or inadvertent transmission of the sensitive information from inside the organization to the outside. For example, a disgruntled employee might send an image of a sensitive document to which he or she has access to an outside party via a mobile device, thus causing harm to the organization.
In addition to simple business reasons for not wanting sensitive information to be released, i.e., the desire to keep trade secrets secret, many new government regulations mandate controls over information (requiring the sensitive information not to be released outside the company) and companies must comply in view of significant penalties. For example, HIPAA regulates health information, BASEL II regulates financial information, Sarbanes-Oxley regulates corporate governance, and a large number of states have passed data privacy laws requiring organizations to notify consumers if their information is released. Companies are even subject to a regular information technology audit which they can fail if they do not employ suitable controls and standards.
Technology companies have reacted to this environment with a host of data loss prevention (DLP) products. These products are typically hardware/software platforms that monitor and prevent sensitive information from being leaked outside the company. These DLP products are also known as data leak prevention, information leak prevention, etc. Gateway-based DLP products are typically installed at the company's Internet network connection and analyze outgoing network traffic for unauthorized transmission of sensitive information. These products typically generate a unique signature of the sensitive information when stored within the company, and then look for these signatures as information passes out over the network boundary, searching for the signatures of the sensitive information. Host-based DLP products typically run on end-user workstations within the organization. These products can address internal as well as external release of information and can also control information flow between groups of users within an organization. These products can also monitor electronic mail and instant messaging communications and block them before they are sent.
Sensitive information from within a company—or sensitive information of an individual—may be in the form of text, numerical information, a picture, image or video, and may be transmitted from a computer server to an endpoint computing device of the individual. For example, certain sensitive data of individual (such as bank account information or individual-specific company information) is very important to an individual and should not be lost or inadvertently revealed. Unauthorized use of an individual's sensitive information may cause a financial loss or damage to personal reputation. In today's environment where more and more people use a mobile telephone to legally download their own needed sensitive information (perhaps for a temporary use) it can be more important to safeguard this information because a mobile telephone may be easily lost, stolen or taken temporarily. Further, individuals are often using public computers or other computers in a location that is not secure.
Previous techniques have used a policy-based data loss prevention technique in order to scan the contents of the data before it is transferred or downloaded, and to block the data or to encrypt it if a policy is violated. But, implementing and enforcing a data usage policy is resource intensive and encrypting the data may not always be viable. What is desired is an improved technique for preventing the loss of sensitive information while allowing an individual to access the information where appropriate.